From 1647b3b660a803ee4bffadc658673dc560d85c63 Mon Sep 17 00:00:00 2001 
From: Sokwhan Huh Date: Fri, 22 May 2026 14:54:40 -0700 Subject: [PATCH] Remove duplicate test policies and use the ones from cel-policy as SoT PiperOrigin-RevId: 919872992 --- .../src/test/java/dev/cel/policy/BUILD.bazel | 4 + .../cel/policy/CelPolicyCompilerImplTest.java | 43 +++-- .../java/dev/cel/policy/PolicyTestHelper.java | 76 ++++++-- repositories.bzl | 4 +- .../dev/cel/testing/testrunner/BUILD.bazel | 37 ++-- .../policy/compile_errors/config.yaml | 52 ----- .../compile_errors/expected_errors.baseline | 30 --- .../policy/compile_errors/policy.yaml | 45 ----- .../expected_errors.baseline | 6 + .../expected_errors.baseline | 6 + .../config.yaml | 22 --- .../expected_errors.baseline | 6 - .../policy.yaml | 23 --- .../config.yaml | 22 --- .../expected_errors.baseline | 6 - .../policy.yaml | 37 ---- .../resources/policy/context_pb/config.yaml | 19 -- .../resources/policy/context_pb/policy.yaml | 25 --- .../policy/context_pb/tests.textproto | 19 -- .../resources/policy/context_pb/tests.yaml | 35 ---- .../expected_errors.baseline | 3 + .../policy/errors_unreachable/config.yaml | 54 ------ .../expected_errors.baseline | 6 - .../policy/errors_unreachable/policy.yaml | 39 ---- .../policy/import/expected_errors.baseline | 6 + .../expected_errors.baseline | 6 + .../src/test/resources/policy/k8s/config.yaml | 33 ---- .../src/test/resources/policy/k8s/policy.yaml | 36 ---- .../src/test/resources/policy/k8s/tests.yaml | 32 ---- .../test/resources/policy/limits/config.yaml | 22 --- .../test/resources/policy/limits/policy.yaml | 50 ----- .../test/resources/policy/limits/tests.yaml | 42 ----- .../resources/policy/nested_rule/config.yaml | 22 --- .../resources/policy/nested_rule/policy.yaml | 38 ---- .../nested_rule/testrunner_tests.textproto | 79 -------- .../policy/nested_rule/testrunner_tests.yaml | 47 ----- .../resources/policy/nested_rule/tests.yaml | 41 ---- .../resources/policy/nested_rule2/config.yaml | 22 --- .../resources/policy/nested_rule2/policy.yaml | 40 ---- 
.../resources/policy/nested_rule2/tests.yaml | 52 ----- .../resources/policy/nested_rule3/config.yaml | 22 --- .../resources/policy/nested_rule3/policy.yaml | 39 ---- .../resources/policy/nested_rule3/tests.yaml | 52 ----- .../resources/policy/nested_rule4/config.yaml | 19 -- .../resources/policy/nested_rule4/policy.yaml | 24 --- .../resources/policy/nested_rule4/tests.yaml | 30 --- .../resources/policy/nested_rule5/config.yaml | 19 -- .../resources/policy/nested_rule5/policy.yaml | 30 --- .../resources/policy/nested_rule5/tests.yaml | 42 ----- .../resources/policy/nested_rule6/config.yaml | 19 -- .../resources/policy/nested_rule6/policy.yaml | 28 --- .../resources/policy/nested_rule6/tests.yaml | 24 --- .../resources/policy/nested_rule7/config.yaml | 19 -- .../resources/policy/nested_rule7/policy.yaml | 29 --- .../resources/policy/nested_rule7/tests.yaml | 42 ----- .../src/test/resources/policy/pb/config.yaml | 23 --- .../src/test/resources/policy/pb/policy.yaml | 36 ---- .../src/test/resources/policy/pb/tests.yaml | 34 ---- .../policy/required_labels/config.yaml | 32 ---- .../policy/required_labels/policy.yaml | 32 ---- .../policy/required_labels/tests.yaml | 80 -------- .../restricted_destinations/config.yaml | 52 ----- .../restricted_destinations/policy.yaml | 42 ----- .../policy/restricted_destinations/tests.yaml | 122 ------------ .../policy/syntax/expected_errors.baseline | 12 ++ .../expected_errors.baseline | 6 + .../unreachable/expected_errors.baseline | 6 + testing/testrunner/cel_java_test.bzl | 178 ++++++++---------- 68 files changed, 244 insertions(+), 2036 deletions(-) delete mode 100644 testing/src/test/resources/policy/compile_errors/config.yaml delete mode 100644 testing/src/test/resources/policy/compile_errors/expected_errors.baseline delete mode 100644 testing/src/test/resources/policy/compile_errors/policy.yaml create mode 100644 testing/src/test/resources/policy/compose_conflicting_output/expected_errors.baseline create mode 100644 
testing/src/test/resources/policy/compose_conflicting_subrule/expected_errors.baseline delete mode 100644 testing/src/test/resources/policy/compose_errors_conflicting_output/config.yaml delete mode 100644 testing/src/test/resources/policy/compose_errors_conflicting_output/expected_errors.baseline delete mode 100644 testing/src/test/resources/policy/compose_errors_conflicting_output/policy.yaml delete mode 100644 testing/src/test/resources/policy/compose_errors_conflicting_subrule/config.yaml delete mode 100644 testing/src/test/resources/policy/compose_errors_conflicting_subrule/expected_errors.baseline delete mode 100644 testing/src/test/resources/policy/compose_errors_conflicting_subrule/policy.yaml delete mode 100644 testing/src/test/resources/policy/context_pb/config.yaml delete mode 100644 testing/src/test/resources/policy/context_pb/policy.yaml delete mode 100644 testing/src/test/resources/policy/context_pb/tests.textproto delete mode 100644 testing/src/test/resources/policy/context_pb/tests.yaml create mode 100644 testing/src/test/resources/policy/duplicate_variable/expected_errors.baseline delete mode 100644 testing/src/test/resources/policy/errors_unreachable/config.yaml delete mode 100644 testing/src/test/resources/policy/errors_unreachable/expected_errors.baseline delete mode 100644 testing/src/test/resources/policy/errors_unreachable/policy.yaml create mode 100644 testing/src/test/resources/policy/import/expected_errors.baseline create mode 100644 testing/src/test/resources/policy/incompatible_outputs/expected_errors.baseline delete mode 100644 testing/src/test/resources/policy/k8s/config.yaml delete mode 100644 testing/src/test/resources/policy/k8s/policy.yaml delete mode 100644 testing/src/test/resources/policy/k8s/tests.yaml delete mode 100644 testing/src/test/resources/policy/limits/config.yaml delete mode 100644 testing/src/test/resources/policy/limits/policy.yaml delete mode 100644 testing/src/test/resources/policy/limits/tests.yaml delete mode 
100644 testing/src/test/resources/policy/nested_rule/config.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule/policy.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule/testrunner_tests.textproto delete mode 100644 testing/src/test/resources/policy/nested_rule/testrunner_tests.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule/tests.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule2/config.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule2/policy.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule2/tests.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule3/config.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule3/policy.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule3/tests.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule4/config.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule4/policy.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule4/tests.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule5/config.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule5/policy.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule5/tests.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule6/config.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule6/policy.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule6/tests.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule7/config.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule7/policy.yaml delete mode 100644 testing/src/test/resources/policy/nested_rule7/tests.yaml delete mode 100644 testing/src/test/resources/policy/pb/config.yaml delete mode 100644 testing/src/test/resources/policy/pb/policy.yaml delete mode 100644 testing/src/test/resources/policy/pb/tests.yaml 
delete mode 100644 testing/src/test/resources/policy/required_labels/config.yaml delete mode 100644 testing/src/test/resources/policy/required_labels/policy.yaml delete mode 100644 testing/src/test/resources/policy/required_labels/tests.yaml delete mode 100644 testing/src/test/resources/policy/restricted_destinations/config.yaml delete mode 100644 testing/src/test/resources/policy/restricted_destinations/policy.yaml delete mode 100644 testing/src/test/resources/policy/restricted_destinations/tests.yaml create mode 100644 testing/src/test/resources/policy/syntax/expected_errors.baseline create mode 100644 testing/src/test/resources/policy/undeclared_reference/expected_errors.baseline create mode 100644 testing/src/test/resources/policy/unreachable/expected_errors.baseline diff --git a/policy/src/test/java/dev/cel/policy/BUILD.bazel b/policy/src/test/java/dev/cel/policy/BUILD.bazel index bc8a5d4b4..5fcfd5693 100644 --- a/policy/src/test/java/dev/cel/policy/BUILD.bazel +++ b/policy/src/test/java/dev/cel/policy/BUILD.bazel @@ -7,6 +7,9 @@ java_library( name = "tests", testonly = True, srcs = glob(["*.java"]), + data = [ + "@cel_policy//conformance:testdata", + ], resources = [ "//testing:policy_test_resources", ], @@ -39,6 +42,7 @@ java_library( "//runtime:function_binding", "//testing:cel_runtime_flavor", "//testing/protos:single_file_java_proto", + "@bazel_tools//tools/java/runfiles", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_java_proto", "@maven//:com_google_guava_guava", "@maven//:com_google_testparameterinjector_test_parameter_injector", diff --git a/policy/src/test/java/dev/cel/policy/CelPolicyCompilerImplTest.java b/policy/src/test/java/dev/cel/policy/CelPolicyCompilerImplTest.java index b4065b60c..e9c2afed5 100644 --- a/policy/src/test/java/dev/cel/policy/CelPolicyCompilerImplTest.java +++ b/policy/src/test/java/dev/cel/policy/CelPolicyCompilerImplTest.java 
@@ -17,10 +17,12 @@ import static com.google.common.base.Strings.isNullOrEmpty; import static com.google.common.truth.Truth.assertThat; import static dev.cel.policy.PolicyTestHelper.readFromYaml; +import static java.nio.charset.StandardCharsets.UTF_8; import static org.junit.Assert.assertThrows; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; +import com.google.common.io.Resources; import com.google.testing.junit.testparameterinjector.TestParameter; import com.google.testing.junit.testparameterinjector.TestParameterInjector; import com.google.testing.junit.testparameterinjector.TestParameterValue; @@ -50,6 +52,7 @@ import dev.cel.testing.testdata.SingleFile; import dev.cel.testing.testdata.proto3.StandaloneGlobalEnum; import java.io.IOException; +import java.net.URL; import java.util.Map; import java.util.Optional; import org.junit.Test; @@ -112,9 +115,12 @@ public void compileYamlPolicy_withImportsOnNestedRules() throws Exception { public void compileYamlPolicy_containsCompilationError_throws( @TestParameter TestErrorYamlPolicy testCase) throws Exception { // Read config and produce an environment to compile policies - String configSource = testCase.readConfigYamlContent(); - CelEnvironment celEnvironment = ENVIRONMENT_PARSER.parse(configSource); - Cel cel = celEnvironment.extend(newCel(), CEL_OPTIONS); + Optional configSource = testCase.readConfigYamlContent(); + Cel baseCel = newCel(); + Cel cel = + configSource.isPresent() + ? ENVIRONMENT_PARSER.parse(configSource.get()).extend(baseCel, CEL_OPTIONS) + : baseCel; // Read the policy source String policySource = testCase.readPolicyYamlContent(); CelPolicy policy = POLICY_PARSER.parse(policySource, testCase.getPolicyFilePath()); 
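Review bot: In `compileYamlPolicy_containsCompilationError_throws`, an absent config now falls back to `newCel()` with no signal, so a `config.yaml` that fails to resolve (a dropped `data` dependency, a changed archive layout) looks the same as a case that intentionally ships none. The policy would then be compiled against the base environment, and the only symptom would be a later baseline mismatch. The same conflation sits in `readConfigYamlContent` (hunk `@@ -522,15 +532,26 @@`) and `PolicyTestHelper.hasRunfile` (hunk `@@ -258,12 +280,32 @@`). I would state the intent above the ternary, e.g. `// config.yaml is optional for compile-error cases; when it is absent the base environment is used as-is.`, and consider marking in the enum which cases must have a config. The test method starts above this hunk and continues past it.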
@@ -509,10 +515,14 @@ private enum MultilineErrorTest { } private enum TestErrorYamlPolicy { - COMPILE_ERRORS("compile_errors"), - COMPOSE_ERRORS_CONFLICTING_OUTPUT("compose_errors_conflicting_output"), - COMPOSE_ERRORS_CONFLICTING_SUBRULE("compose_errors_conflicting_subrule"), - ERRORS_UNREACHABLE("errors_unreachable"); + COMPOSE_ERRORS_CONFLICTING_OUTPUT("compose_conflicting_output"), + COMPOSE_ERRORS_CONFLICTING_SUBRULE("compose_conflicting_subrule"), + ERRORS_UNREACHABLE("unreachable"), + DUPLICATE_VARIABLE("duplicate_variable"), + IMPORT("import"), + INCOMPATIBLE_OUTPUTS("incompatible_outputs"), + SYNTAX("syntax"), + UNDECLARED_REFERENCE("undeclared_reference"); private final String name; private final String policyFilePath; @@ -522,15 +532,26 @@ private String getPolicyFilePath() { } private String readPolicyYamlContent() throws IOException { - return readFromYaml(String.format("policy/%s/policy.yaml", name)); + return readFromYaml( + String.format( + "cel_policy/conformance/testdata/compile_errors/%s/policy.yaml", + name)); } - private String readConfigYamlContent() throws IOException { - return readFromYaml(String.format("policy/%s/config.yaml", name)); + private Optional readConfigYamlContent() throws IOException { + String rlocationPath = + String.format( + "cel_policy/conformance/testdata/compile_errors/%s/config.yaml", + name); + if (PolicyTestHelper.hasRunfile(rlocationPath)) { + return Optional.of(readFromYaml(rlocationPath)); + } + return Optional.empty(); } private String readExpectedErrorsBaseline() throws IOException { - return readFromYaml(String.format("policy/%s/expected_errors.baseline", name)); + URL url = Resources.getResource(String.format("policy/%s/expected_errors.baseline", name)); + return Resources.toString(url, UTF_8).trim(); } TestErrorYamlPolicy(String name) { diff --git a/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java b/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java index 6e918286b..3fe2e3322 100644 
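Review bot: `readExpectedErrorsBaseline` still reads from this repository's classpath, while `readPolicyYamlContent` and `readConfigYamlContent` now read from the pinned `@cel_policy` runfiles, so the test input and its expected output come from two sources. The baselines quote line and column positions inside the upstream `policy.yaml`, so moving the pin in `repositories.bzl` can invalidate them without any local file changing. A comment on the method would make that coupling visible, e.g. `// Baselines are kept locally; re-check them whenever the cel_policy pin in repositories.bzl changes.` The added `.trim()` should be mentioned in the same comment, since whether the previous `readFromYaml` path trimmed is not visible in this hunk. The enum constructor and `getPolicyFilePath` lie outside the hunk.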
--- a/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java +++ b/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java @@ -18,9 +18,11 @@ import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Ascii; -import com.google.common.io.Resources; +import com.google.common.io.Files; +import com.google.devtools.build.runfiles.AutoBazelRepository; +import com.google.devtools.build.runfiles.Runfiles; +import java.io.File; import java.io.IOException; -import java.net.URL; import java.util.List; import java.util.Map; import org.yaml.snakeyaml.LoaderOptions; @@ -28,8 +30,11 @@ import org.yaml.snakeyaml.constructor.Constructor; /** Package-private class to assist with policy testing. */ +@AutoBazelRepository final class PolicyTestHelper { + private static final Runfiles runfiles = createRunfiles(); + enum TestYamlPolicy { NESTED_RULE( "nested_rule", @@ -74,11 +79,11 @@ enum TestYamlPolicy { "required_labels", true, "cel.@block([spec.labels.filter(@it:0:0, !(@it:0:0 in resource.labels)), spec.labels," - + " resource.labels, @index2.filter(@it:0:0, @it:0:0 in @index1 && @index1[@it:0:0] !=" - + " @index2[@it:0:0])], (@index0.size() > 0) ? optional.of(\"missing one or more" - + " required labels: [\"\" + @index0.join(\",\") + \"\"]\") : ((@index3.size() > 0) ?" - + " optional.of(\"invalid values provided on one or more labels: [\"\" +" - + " @index3.join(\",\") + \"\"]\") : optional.none()))"), + + " resource.labels.transformList(@it:0:1, @it2:0:1, @it:0:1 in @index1 && @it2:0:1 !=" + + " @index1[@it:0:1], @it:0:1)], (@index0.size() > 0) ? optional.of(\"missing one or" + + " more required labels: [\"\" + @index0.join(\"\", \"\") + \"\"]\") :" + + " ((@index2.size() > 0) ? optional.of(\"invalid values provided on one or more" + + " labels: [\"\" + @index2.join(\"\", \"\") + \"\"]\") : optional.none()))"), RESTRICTED_DESTINATIONS( "restricted_destinations", false, 
@@ -102,9 +107,10 @@ enum TestYamlPolicy { "cel.@block([spec.single_int32], (@index0 > 10) ? optional.of(\"invalid spec, got" + " single_int32=\" + string(@index0) + \", wanted <= 10\") : ((spec.standalone_enum ==" + " cel.expr.conformance.proto3.TestAllTypes.NestedEnum.BAR ||" - + " dev.cel.testing.testdata.proto3.StandaloneGlobalEnum.SGAR ==" - + " dev.cel.testing.testdata.proto3.StandaloneGlobalEnum.SGOO) ? optional.of(\"invalid" - + " spec, neither nested nor imported enums may refer to BAR\") : optional.none()))"), + + " cel.expr.conformance.proto3.TestAllTypes.NestedEnum.BAZ in" + + " spec.repeated_nested_enum || cel.expr.conformance.proto3.GlobalEnum.GAR ==" + + " cel.expr.conformance.proto3.GlobalEnum.GOO) ? optional.of(\"invalid spec, neither" + + " nested nor repeated enums may refer to BAR or BAZ\") : optional.none()))"), LIMITS( "limits", true, @@ -136,16 +142,23 @@ String getUnparsed() { } String readPolicyYamlContent() throws IOException { - return readFromYaml(String.format("policy/%s/policy.yaml", name)); + return readFromYaml( + String.format( + "cel_policy/conformance/testdata/%s/policy.yaml", name)); } String readConfigYamlContent() throws IOException { - return readFromYaml(String.format("policy/%s/config.yaml", name)); + return readFromYaml( + String.format( + "cel_policy/conformance/testdata/%s/config.yaml", name)); } PolicyTestSuite readTestYamlContent() throws IOException { Yaml yaml = new Yaml(new Constructor(PolicyTestSuite.class, new LoaderOptions())); - String testContent = readFile(String.format("policy/%s/tests.yaml", name)); + String testContent = + readFile( + String.format( + "cel_policy/conformance/testdata/%s/tests.yaml", name)); return yaml.load(testContent); } 
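Review bot: `readTestYamlContent` now hands a `tests.yaml` from the external `@cel_policy` archive to the SnakeYAML loader built with `new Constructor(PolicyTestSuite.class, new LoaderOptions())`, where it previously parsed files checked into this repository. The integrity of that input rests on the `sha256` pin in `cel_policy_dependency()`, and how the loader treats type tags depends on the SnakeYAML version, which this page does not show. I would record that on the method, e.g. `// tests.yaml comes from the sha256-pinned cel_policy archive, not from this repo; treat it as external input.` The enclosing `TestYamlPolicy` enum starts above this hunk.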
@@ -163,9 +176,18 @@ static String readFromYaml(String yamlPath) throws IOException { */ @VisibleForTesting public static final class PolicyTestSuite { + private String name; private String description; private List section; + public void setName(String name) { + this.name = name; + } + + public String getName() { + return name; + } + public void setDescription(String description) { this.description = description; } @@ -258,12 +280,32 @@ public void setExpr(String expr) { } } - private static URL getResource(String path) { - return Resources.getResource(Ascii.toLowerCase(path)); + private static String readFile(String rlocationPath) throws IOException { + String resolvedPath = runfiles.rlocation(Ascii.toLowerCase(rlocationPath)); + if (resolvedPath == null) { + throw new IOException("Unmapped runfile path: " + rlocationPath); + } + File file = new File(resolvedPath); + if (!file.exists()) { + throw new IOException( + String.format( + "Runfile not found on disk at '%s' (unresolved path: '%s')", + resolvedPath, rlocationPath)); + } + return Files.asCharSource(file, UTF_8).read(); + } + + static boolean hasRunfile(String rlocationPath) { + String resolvedPath = runfiles.rlocation(Ascii.toLowerCase(rlocationPath)); + return resolvedPath != null && new File(resolvedPath).exists(); } - private static String readFile(String path) throws IOException { - return Resources.toString(getResource(path), UTF_8); + private static Runfiles createRunfiles() { + try { + return Runfiles.preload().withSourceRepository(AutoBazelRepository_PolicyTestHelper.NAME); + } catch (IOException e) { + throw new RuntimeException("Failed to initialize Runfiles", e); + } } private PolicyTestHelper() {} diff --git a/repositories.bzl b/repositories.bzl index 88f01019a..cbb7b3832 100644 --- a/repositories.bzl +++ b/repositories.bzl 
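Review bot: `readFile` and `hasRunfile` resolve `Ascii.toLowerCase(rlocationPath)`, but the "Unmapped runfile path" message prints the original `rlocationPath`, so a failure caused by the lowercasing reports a key that was never looked up. Compute the key once and report it: `String lookupPath = Ascii.toLowerCase(rlocationPath);` followed by `throw new IOException("Unmapped runfile path: " + lookupPath);`. Lowercasing the whole path also assumes that the external repository name and every directory under it are lowercase, which holds for the paths in this commit but deserves a one-line comment. `new File(resolvedPath).exists()` is also true for a directory, so `isFile()` would state the intent of both checks more precisely.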
@@ -34,8 +34,8 @@ def bazel_common_dependency(): ) def cel_policy_dependency(): - cel_policy_tag = "569292f1c4eaa41894c1e37ee94eb146e284bcfa" - cel_policy_sha = "5a68318d906f6ce18492ad6f82b5f8bb083fd9d694cf567d399216c11da03157" + cel_policy_tag = "e4c38defbbf34dfff2dc448dc58e93a9733ae8b1" + cel_policy_sha = "46378e0d17a16465899f9fefc94c3d44e1f40aedd8a31c9c0b2b6198048eabd6" http_archive( name = "cel_policy", sha256 = cel_policy_sha, diff --git a/testing/src/test/java/dev/cel/testing/testrunner/BUILD.bazel b/testing/src/test/java/dev/cel/testing/testrunner/BUILD.bazel index a12654d2c..69c53e5d9 100644 --- a/testing/src/test/java/dev/cel/testing/testrunner/BUILD.bazel +++ b/testing/src/test/java/dev/cel/testing/testrunner/BUILD.bazel @@ -157,14 +157,13 @@ java_test( cel_java_test( name = "test_runner_sample_yaml", - cel_expr = "nested_rule/policy.yaml", + cel_expr = "@cel_policy//conformance:testdata/nested_rule/policy.yaml", proto_deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_proto", ], - test_data_path = "//testing/src/test/resources/policy", test_src = ":user_test", - test_suite = "nested_rule/testrunner_tests.yaml", + test_suite = "@cel_policy//conformance:testdata/nested_rule/tests.yaml", deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_java_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_java_proto", @@ -173,7 +172,7 @@ cel_java_test( cel_java_test( name = "unknown_set_yaml", - cel_expr = "nested_rule/policy.yaml", + cel_expr = "@cel_policy//conformance:testdata/nested_rule/policy.yaml", proto_deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_proto", 
@@ -211,15 +210,14 @@ cel_java_test( cel_java_test( name = "context_pb_user_test_runner_sample", - cel_expr = "context_pb/policy.yaml", - config = "context_pb/config.yaml", + cel_expr = "@cel_policy//conformance:testdata/context_pb/policy.yaml", + config = "@cel_policy//conformance:testdata/context_pb/config.yaml", proto_deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_proto", ], - test_data_path = "//testing/src/test/resources/policy", test_src = ":context_pb_user_test", - test_suite = "context_pb/tests.yaml", + test_suite = "@cel_policy//conformance:testdata/context_pb/tests.yaml", deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_java_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_java_proto", @@ -228,15 +226,14 @@ cel_java_test( cel_java_test( name = "additional_config_test_runner_sample", - cel_expr = "nested_rule/policy.yaml", - config = "nested_rule/config.yaml", + cel_expr = "@cel_policy//conformance:testdata/nested_rule/policy.yaml", + config = "@cel_policy//conformance:testdata/nested_rule/config.yaml", proto_deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_proto", ], - test_data_path = "//testing/src/test/resources/policy", test_src = ":env_config_user_test", - test_suite = "nested_rule/testrunner_tests.textproto", + test_suite = "@cel_policy//conformance:testdata/nested_rule/tests.textproto", deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_java_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_java_proto", 
@@ -245,14 +242,13 @@ cel_java_test( cel_java_test( name = "test_runner_sample", - cel_expr = "nested_rule/policy.yaml", + cel_expr = "@cel_policy//conformance:testdata/nested_rule/policy.yaml", proto_deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_proto", ], - test_data_path = "//testing/src/test/resources/policy", test_src = ":user_test", - test_suite = "nested_rule/testrunner_tests.textproto", + test_suite = "@cel_policy//conformance:testdata/nested_rule/tests.textproto", deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_java_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_java_proto", @@ -286,8 +282,8 @@ cel_java_test( cel_java_test( name = "context_message_user_test_runner_textproto_sample", - cel_expr = "context_pb/policy.yaml", - config = "context_pb/config.yaml", + cel_expr = "@cel_policy//conformance:testdata/context_pb/policy.yaml", + config = "@cel_policy//conformance:testdata/context_pb/config.yaml", proto_deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_proto", 
@@ -303,15 +299,14 @@ cel_java_test( cel_java_test( name = "context_pb_user_test_runner_textproto_sample", - cel_expr = "context_pb/policy.yaml", - config = "context_pb/config.yaml", + cel_expr = "@cel_policy//conformance:testdata/context_pb/policy.yaml", + config = "@cel_policy//conformance:testdata/context_pb/config.yaml", proto_deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_proto", ], - test_data_path = "//testing/src/test/resources/policy", test_src = ":context_pb_user_test", - test_suite = "context_pb/tests.textproto", + test_suite = "@cel_policy//conformance:testdata/context_pb/tests.textproto", deps = [ "@cel_spec//proto/cel/expr/conformance/proto2:test_all_types_java_proto", "@cel_spec//proto/cel/expr/conformance/proto3:test_all_types_java_proto", diff --git a/testing/src/test/resources/policy/compile_errors/config.yaml b/testing/src/test/resources/policy/compile_errors/config.yaml deleted file mode 100644 index b9c8f9750..000000000 --- a/testing/src/test/resources/policy/compile_errors/config.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: "labels" -extensions: - - name: "sets" -variables: - - name: "destination.ip" - type: - type_name: "string" - - name: "origin.ip" - type: - type_name: "string" - - name: "spec.restricted_destinations" - type: - type_name: "list" - params: - - type_name: "string" - - name: "spec.origin" - type: - type_name: "string" - - name: "request" - type: - type_name: "map" - params: - - type_name: "string" - - type_name: "dyn" - - name: "resource" - type: - type_name: "map" - params: - - type_name: "string" - - type_name: "dyn" -functions: - - name: "locationCode" - overloads: - - id: "locationCode_string" - args: - - type_name: "string" - return: - type_name: "string" diff --git a/testing/src/test/resources/policy/compile_errors/expected_errors.baseline b/testing/src/test/resources/policy/compile_errors/expected_errors.baseline deleted file mode 100644 index 850ecce9d..000000000 --- a/testing/src/test/resources/policy/compile_errors/expected_errors.baseline +++ /dev/null 
@@ -1,30 +0,0 @@ -ERROR: compile_errors/policy.yaml:19:5: Error configuring import: invalid qualified name: punc.Import!, wanted name of the form 'qualified.name' - | punc.Import! - | ....^ -ERROR: compile_errors/policy.yaml:20:10: Error configuring import: invalid qualified name: bad import, wanted name of the form 'qualified.name' - | - name: "bad import" - | .........^ -ERROR: compile_errors/policy.yaml:24:19: undeclared reference to 'spec' (in container '') - | expression: spec.labels - | ..................^ -ERROR: compile_errors/policy.yaml:26:50: mismatched input 'resource' expecting {'==', '!=', 'in', '<', '<=', '>=', '>', '&&', '||', '[', ')', '.', '-', '?', '+', '*', '/', '%%'} - | expression: variables.want.filter(l, !(lin resource.labels)) - | .................................................^ -ERROR: compile_errors/policy.yaml:26:66: extraneous input ')' expecting - | expression: variables.want.filter(l, !(lin resource.labels)) - | .................................................................^ -ERROR: compile_errors/policy.yaml:28:27: mismatched input '2' expecting {'}', ','} - | expression: "{1:305 2:569}" - | ..........................^ -ERROR: compile_errors/policy.yaml:36:75: extraneous input ']' expecting ')' - | "missing one or more required labels: %s".format(variables.missing]) - | ..........................................................................^ -ERROR: compile_errors/policy.yaml:39:67: undeclared reference to 'format' (in container '') - | "invalid values provided on one or more labels: %s".format([variables.invalid]) - | ..................................................................^ -ERROR: compile_errors/policy.yaml:40:19: condition must produce a boolean output. 
- | - condition: '1' - | ..................^ -ERROR: compile_errors/policy.yaml:43:24: found no matching overload for '_==_' applied to '(bool, string)' (candidates: (%A0, %A0)) - | - condition: false == "0" - | .......................^ \ No newline at end of file diff --git a/testing/src/test/resources/policy/compile_errors/policy.yaml b/testing/src/test/resources/policy/compile_errors/policy.yaml deleted file mode 100644 index c17cd3056..000000000 --- a/testing/src/test/resources/policy/compile_errors/policy.yaml +++ /dev/null @@ -1,45 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: "errors" -imports: -- name: " untrimmed.Import1 " -- name: > - punc.Import! -- name: "bad import" -rule: - variables: - - name: want - expression: spec.labels - - name: missing - expression: variables.want.filter(l, !(lin resource.labels)) - - name: bad_data - expression: "{1:305 2:569}" - - name: invalid - expression: > - resource.labels.filter(l, - l in variables.want && variables.want[l] != resource.labels[l]) - match: - - condition: variables.missing.size() > 0 - output: | - "missing one or more required labels: %s".format(variables.missing]) - - condition: variables.invalid.size() > 0 - output: | - "invalid values provided on one or more labels: %s".format([variables.invalid]) - - condition: '1' - output: | - "condition wrong type" - - condition: false == "0" - output: | - "condition type-check failure" 
diff --git a/testing/src/test/resources/policy/compose_conflicting_output/expected_errors.baseline b/testing/src/test/resources/policy/compose_conflicting_output/expected_errors.baseline new file mode 100644 index 000000000..241fca0f6 --- /dev/null +++ b/testing/src/test/resources/policy/compose_conflicting_output/expected_errors.baseline @@ -0,0 +1,6 @@ +ERROR: compose_conflicting_output/policy.yaml:22:14: incompatible output types: block has output type map(string, bool), but previous outputs have type bool + | output: "false" + | .............^ +ERROR: compose_conflicting_output/policy.yaml:23:14: incompatible output types: block has output type map(string, bool), but previous outputs have type bool + | - output: "{'banned': true}" + | .............^ \ No newline at end of file diff --git a/testing/src/test/resources/policy/compose_conflicting_subrule/expected_errors.baseline b/testing/src/test/resources/policy/compose_conflicting_subrule/expected_errors.baseline new file mode 100644 index 000000000..663821b52 --- /dev/null +++ b/testing/src/test/resources/policy/compose_conflicting_subrule/expected_errors.baseline @@ -0,0 +1,6 @@ +ERROR: compose_conflicting_subrule/policy.yaml:34:18: failed composing the subrule 'banned regions' due to incompatible output types. + | output: "true" + | .................^ +ERROR: compose_conflicting_subrule/policy.yaml:36:14: failed composing the subrule 'banned regions' due to incompatible output types. + | output: "{'banned': false}" + | .............^ \ No newline at end of file diff --git a/testing/src/test/resources/policy/compose_errors_conflicting_output/config.yaml b/testing/src/test/resources/policy/compose_errors_conflicting_output/config.yaml deleted file mode 100644 index 5d048a225..000000000 --- a/testing/src/test/resources/policy/compose_errors_conflicting_output/config.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "labels"
-variables:
-- name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
diff --git a/testing/src/test/resources/policy/compose_errors_conflicting_output/expected_errors.baseline b/testing/src/test/resources/policy/compose_errors_conflicting_output/expected_errors.baseline
deleted file mode 100644
index bc205c2ab..000000000
--- a/testing/src/test/resources/policy/compose_errors_conflicting_output/expected_errors.baseline
+++ /dev/null
@@ -1,6 +0,0 @@
-ERROR: compose_errors_conflicting_output/policy.yaml:22:14: incompatible output types: block has output type map(string, bool), but previous outputs have type bool
- | output: "false"
- | .............^
-ERROR: compose_errors_conflicting_output/policy.yaml:23:14: incompatible output types: block has output type map(string, bool), but previous outputs have type bool
- | - output: "{'banned': true}"
- | .............^
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/compose_errors_conflicting_output/policy.yaml b/testing/src/test/resources/policy/compose_errors_conflicting_output/policy.yaml
deleted file mode 100644
index a5ed5c09c..000000000
--- a/testing/src/test/resources/policy/compose_errors_conflicting_output/policy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule
-rule:
- variables:
- - name: "permitted_regions"
- expression: "['us', 'uk', 'es']"
- match:
- - condition: resource.origin in variables.permitted_regions
- output: "false"
- - output: "{'banned': true}"
diff --git a/testing/src/test/resources/policy/compose_errors_conflicting_subrule/config.yaml b/testing/src/test/resources/policy/compose_errors_conflicting_subrule/config.yaml
deleted file mode 100644
index 5d048a225..000000000
--- a/testing/src/test/resources/policy/compose_errors_conflicting_subrule/config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "labels"
-variables:
-- name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
diff --git a/testing/src/test/resources/policy/compose_errors_conflicting_subrule/expected_errors.baseline b/testing/src/test/resources/policy/compose_errors_conflicting_subrule/expected_errors.baseline
deleted file mode 100644
index 66e48ea57..000000000
--- a/testing/src/test/resources/policy/compose_errors_conflicting_subrule/expected_errors.baseline
+++ /dev/null
@@ -1,6 +0,0 @@
-ERROR: compose_errors_conflicting_subrule/policy.yaml:34:18: failed composing the subrule 'banned regions' due to incompatible output types.
- | output: "true"
- | .................^
-ERROR: compose_errors_conflicting_subrule/policy.yaml:36:14: failed composing the subrule 'banned regions' due to incompatible output types.
- | output: "{'banned': false}"
- | .............^
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/compose_errors_conflicting_subrule/policy.yaml b/testing/src/test/resources/policy/compose_errors_conflicting_subrule/policy.yaml
deleted file mode 100644
index 9df1df8d0..000000000
--- a/testing/src/test/resources/policy/compose_errors_conflicting_subrule/policy.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule
-rule:
- variables:
- - name: "permitted_regions"
- expression: "['us', 'uk', 'es']"
- match:
- - rule:
- id: "banned regions"
- description: >
- determine whether the resource origin is in the banned
- list. If the region is also in the permitted list, the
- ban has no effect.
- variables:
- - name: "banned_regions"
- expression: "{'us': false, 'ru': false, 'ir': false}"
- match:
- - condition: |
- resource.origin in variables.banned_regions &&
- !(resource.origin in variables.permitted_regions)
- output: "true"
- - condition: resource.origin in variables.permitted_regions
- output: "{'banned': false}"
- - output: "{'banned': true}"
diff --git a/testing/src/test/resources/policy/context_pb/config.yaml b/testing/src/test/resources/policy/context_pb/config.yaml
deleted file mode 100644
index 2ca7fac42..000000000
--- a/testing/src/test/resources/policy/context_pb/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "context_pb"
-container: "cel.expr.conformance.proto3"
-extensions:
- - name: "strings"
- version: "latest"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/context_pb/policy.yaml b/testing/src/test/resources/policy/context_pb/policy.yaml
deleted file mode 100644
index 8111bb76c..000000000
--- a/testing/src/test/resources/policy/context_pb/policy.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "context_pb"
-rule:
- match:
- - condition: >
- single_int32 > TestAllTypes{single_int64: 10}.single_int64
- output: |
- ["invalid spec, got single_int32=" , single_int32 , ", wanted <= 10"].join()
- - condition: >
- standalone_enum == TestAllTypes.NestedEnum.BAR
- output: |
- "invalid spec, no nested enums may refer to BAR"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/context_pb/tests.textproto b/testing/src/test/resources/policy/context_pb/tests.textproto
deleted file mode 100644
index 77f97fa7c..000000000
--- a/testing/src/test/resources/policy/context_pb/tests.textproto
+++ /dev/null
@@ -1,19 +0,0 @@
-# proto-file: google3/third_party/cel/spec/proto/cel/expr/conformance/test/suite.proto
-# proto-message: cel.expr.conformance.test.TestSuite
-
-name: "context_pb_tests"
-description: "Protobuf input tests"
-sections {
- name: "valid"
- description: "Valid protobuf input tests"
- tests {
- name: "good spec"
- description: "Valid protobuf input tests"
- input_context {
- context_expr: "TestAllTypes{single_int32: 10}"
- }
- output {
- result_expr: "optional.none()"
- }
- }
-}
diff --git a/testing/src/test/resources/policy/context_pb/tests.yaml b/testing/src/test/resources/policy/context_pb/tests.yaml
deleted file mode 100644
index d37e2bee3..000000000
--- a/testing/src/test/resources/policy/context_pb/tests.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2025 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "context_pb_cel_tests"
-description: "Protobuf input tests"
-sections:
- - name: "valid"
- description: "Valid context_expr"
- tests:
- - name: "good spec"
- description: "good spec"
- context_expr:
- "TestAllTypes{single_int32: 10}"
- output:
- expr: "optional.none()"
- - name: "invalid"
- description: "Invalid context_expr"
- tests:
- - name: "bad spec"
- description: "bad spec"
- context_expr:
- "TestAllTypes{single_int32: 11}"
- output:
- value: "invalid spec, got single_int32=11, wanted <= 10"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/duplicate_variable/expected_errors.baseline b/testing/src/test/resources/policy/duplicate_variable/expected_errors.baseline
new file mode 100644
index 000000000..b1025bb60
--- /dev/null
+++ b/testing/src/test/resources/policy/duplicate_variable/expected_errors.baseline
@@ -0,0 +1,3 @@
+ERROR: duplicate_variable/policy.yaml:23:19: overlapping declaration name 'variables.want' (type 'int' cannot be distinguished from 'string')
+ | - condition: "true"
+ | ..................^
diff --git a/testing/src/test/resources/policy/errors_unreachable/config.yaml b/testing/src/test/resources/policy/errors_unreachable/config.yaml
deleted file mode 100644
index 8f79bb763..000000000
--- a/testing/src/test/resources/policy/errors_unreachable/config.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "errors_unreachable"
-extensions:
-- name: "sets"
-- name: "strings"
- version: "latest"
-variables:
-- name: "destination.ip"
- type:
- type_name: "string"
-- name: "origin.ip"
- type:
- type_name: "string"
-- name: "spec.restricted_destinations"
- type:
- type_name: "list"
- params:
- - type_name: "string"
-- name: "spec.origin"
- type:
- type_name: "string"
-- name: "request"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
-- name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
-functions:
-- name: "locationCode"
- overloads:
- - id: "locationCode_string"
- args:
- - type_name: "string"
- return:
- type_name: "string"
diff --git a/testing/src/test/resources/policy/errors_unreachable/expected_errors.baseline b/testing/src/test/resources/policy/errors_unreachable/expected_errors.baseline
deleted file mode 100644
index f5f24acbe..000000000
--- a/testing/src/test/resources/policy/errors_unreachable/expected_errors.baseline
+++ /dev/null
@@ -1,6 +0,0 @@
-ERROR: errors_unreachable/policy.yaml:36:9: Match creates unreachable outputs
- | - output: |
- | ........^
-ERROR: errors_unreachable/policy.yaml:28:7: Rule creates unreachable outputs
- | match:
- | ......^
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/errors_unreachable/policy.yaml b/testing/src/test/resources/policy/errors_unreachable/policy.yaml
deleted file mode 100644
index f43fd62c7..000000000
--- a/testing/src/test/resources/policy/errors_unreachable/policy.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "errors_unreachable"
-rule:
- variables:
- - name: want
- expression: request.labels
- - name: missing
- expression: variables.want.filter(l, !(l in resource.labels))
- - name: invalid
- expression: >
- resource.labels.filter(l,
- l in variables.want && variables.want[l] != resource.labels[l])
- match:
- - rule:
- match:
- - output: "''"
- - condition: variables.missing.size() > 0
- output: |
- "missing one or more required labels: [\"" + variables.missing.join(',') + "\"]"
- - condition: variables.invalid.size() > 0
- rule:
- match:
- - output: |
- "invalid values provided on one or more labels: [\"" + variables.invalid.join(',') + "\"]"
- - condition: "false"
- output: "'unreachable'"
diff --git a/testing/src/test/resources/policy/import/expected_errors.baseline b/testing/src/test/resources/policy/import/expected_errors.baseline
new file mode 100644
index 000000000..b88402b8c
--- /dev/null
+++ b/testing/src/test/resources/policy/import/expected_errors.baseline
@@ -0,0 +1,6 @@
+ERROR: import/policy.yaml:19:7: Error configuring import: invalid qualified name: punc.Import!, wanted name of the form 'qualified.name'
+ | punc.Import!
+ | ......^
+ERROR: import/policy.yaml:20:12: Error configuring import: invalid qualified name: bad import, wanted name of the form 'qualified.name'
+ | - name: "bad import"
+ | ...........^
diff --git a/testing/src/test/resources/policy/incompatible_outputs/expected_errors.baseline b/testing/src/test/resources/policy/incompatible_outputs/expected_errors.baseline
new file mode 100644
index 000000000..be370847f
--- /dev/null
+++ b/testing/src/test/resources/policy/incompatible_outputs/expected_errors.baseline
@@ -0,0 +1,6 @@
+ERROR: incompatible_outputs/policy.yaml:19:16: incompatible output types: block has output type optional_type(string), but previous outputs have type bool
+ | output: "true"
+ | ...............^
+ERROR: incompatible_outputs/policy.yaml:21:16: incompatible output types: block has output type optional_type(string), but previous outputs have type bool
+ | output: "'false'"
+ | ...............^
diff --git a/testing/src/test/resources/policy/k8s/config.yaml b/testing/src/test/resources/policy/k8s/config.yaml
deleted file mode 100644
index 4df8439ea..000000000
--- a/testing/src/test/resources/policy/k8s/config.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: k8s
-extensions:
-- name: "strings"
- version: 2
-variables:
-- name: "resource.labels"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "string"
-- name: "resource.containers"
- type:
- type_name: "list"
- params:
- - type_name: "string"
-- name: "resource.namespace"
- type:
- type_name: "string"
diff --git a/testing/src/test/resources/policy/k8s/policy.yaml b/testing/src/test/resources/policy/k8s/policy.yaml
deleted file mode 100644
index 9cc9782fa..000000000
--- a/testing/src/test/resources/policy/k8s/policy.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: k8s
-kind: ValidatingAdmissionPolicy
-metadata:
- name: "policy.cel.dev"
-spec:
- failurePolicy: Fail
- matchConstraints:
- resourceRules:
- - apiGroups: ["services"]
- apiVersions: ["v3"]
- operations: ["CREATE", "UPDATE"]
- variables:
- - name: env
- expression: "resource.labels.?environment.orValue('prod')"
- - name: break_glass
- expression: "resource.labels.?break_glass.orValue('false') == 'true'"
- validations:
- - expression: >
- variables.break_glass ||
- resource.containers.all(c, c.startsWith(variables.env + '.'))
- messageExpression: >
- 'only ' + variables.env + ' containers are allowed in namespace ' + resource.namespace
diff --git a/testing/src/test/resources/policy/k8s/tests.yaml b/testing/src/test/resources/policy/k8s/tests.yaml
deleted file mode 100644
index f3e7de790..000000000
--- a/testing/src/test/resources/policy/k8s/tests.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: K8s admission control tests
-section:
- - name: "invalid"
- tests:
- - name: "restricted_container"
- input:
- resource.namespace:
- value: "dev.cel"
- resource.labels:
- value:
- environment: "staging"
- resource.containers:
- value:
- - staging.dev.cel.container1
- - staging.dev.cel.container2
- - preprod.dev.cel.container3
- output:
- value: "only staging containers are allowed in namespace dev.cel"
diff --git a/testing/src/test/resources/policy/limits/config.yaml b/testing/src/test/resources/policy/limits/config.yaml
deleted file mode 100644
index fa6fc737c..000000000
--- a/testing/src/test/resources/policy/limits/config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "limits"
-extensions:
-- name: "strings"
- version: latest
-variables:
-- name: "now"
- type:
- type_name: "google.protobuf.Timestamp"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/limits/policy.yaml b/testing/src/test/resources/policy/limits/policy.yaml
deleted file mode 100644
index 13c47c39b..000000000
--- a/testing/src/test/resources/policy/limits/policy.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "limits"
-rule:
- variables:
- - name: "greeting"
- expression: "'hello'"
- - name: "farewell"
- expression: "'goodbye'"
- - name: "person"
- expression: "'me'"
- - name: "message_fmt"
- expression: "'%s, %s'"
- match:
- - condition: |
- now.getHours() >= 20
- rule:
- id: "farewells"
- variables:
- - name: "message"
- expression: >
- variables.farewell + ', ' + variables.person
-# TODO: replace when string.format is available
-# variables.message_fmt.format([variables.farewell,
-# variables.person])
- match:
- - condition: >
- now.getHours() < 21
- output: variables.message + "!"
- - condition: >
- now.getHours() < 22
- output: variables.message + "!!"
- - condition: >
- now.getHours() < 24
- output: variables.message + "!!!"
- - output: >
- variables.greeting + ', ' + variables.person
-# variables.message_fmt.format([variables.greeting, variables.person]) TODO: replace when string.format is available
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/limits/tests.yaml b/testing/src/test/resources/policy/limits/tests.yaml
deleted file mode 100644
index 88772e075..000000000
--- a/testing/src/test/resources/policy/limits/tests.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: Limits related tests
-section:
- - name: "now_after_hours"
- tests:
- - name: "7pm"
- input:
- now:
- expr: "timestamp('2024-07-30T00:30:00Z')"
- output:
- value: "hello, me"
- - name: "8pm"
- input:
- now:
- expr: "timestamp('2024-07-30T20:30:00Z')"
- output:
- value: "goodbye, me!"
- - name: "9pm"
- input:
- now:
- expr: "timestamp('2024-07-30T21:30:00Z')"
- output:
- value: "goodbye, me!!"
- - name: "11pm"
- input:
- now:
- expr: "timestamp('2024-07-30T23:30:00Z')"
- output:
- value: "goodbye, me!!!"
diff --git a/testing/src/test/resources/policy/nested_rule/config.yaml b/testing/src/test/resources/policy/nested_rule/config.yaml
deleted file mode 100644
index bfd94b33c..000000000
--- a/testing/src/test/resources/policy/nested_rule/config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule"
-variables:
- - name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
diff --git a/testing/src/test/resources/policy/nested_rule/policy.yaml b/testing/src/test/resources/policy/nested_rule/policy.yaml
deleted file mode 100644
index 2fc566b85..000000000
--- a/testing/src/test/resources/policy/nested_rule/policy.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule
-rule:
- variables:
- - name: "permitted_regions"
- expression: "['us', 'uk', 'es']"
- match:
- - rule:
- id: "banned regions"
- description: >
- determine whether the resource origin is in the banned
- list. If the region is also in the permitted list, the
- ban has no effect.
- variables:
- - name: "banned_regions"
- expression: "{'us': false, 'ru': false, 'ir': false}"
- match:
- - condition: |
- resource.origin in variables.banned_regions &&
- !(resource.origin in variables.permitted_regions)
- output: "{'banned': true}"
- - condition: resource.origin in variables.permitted_regions
- output: "{'banned': false}"
- - output: "{'banned': true}"
- explanation: "'resource is in the banned region ' + resource.origin"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/nested_rule/testrunner_tests.textproto b/testing/src/test/resources/policy/nested_rule/testrunner_tests.textproto
deleted file mode 100644
index 9a8dc691e..000000000
--- a/testing/src/test/resources/policy/nested_rule/testrunner_tests.textproto
+++ /dev/null
@@ -1,79 +0,0 @@
-# proto-file: google3/third_party/cel/spec/proto/cel/expr/conformance/test/suite.proto
-# proto-message: cel.expr.conformance.test.TestSuite
-
-name: "nested_rule"
-description: "Nested rule conformance tests"
-sections {
- name: "valid"
- description: "Valid nested rule"
- tests {
- name: "restricted_origin"
- description: "Restricted origin"
- input {
- key: "resource"
- value {
- value {
- object_value {
- [type.googleapis.com/google.protobuf.Struct] {
- fields {
- key: "origin"
- value { string_value: "ir" }
- }
- }
- }
- }
- }
- }
- output {
- result_expr: "{'banned': true}"
- }
- }
- tests {
- name: "by_default"
- description: "By default"
- input {
- key: "resource"
- value {
- value {
- object_value {
- [type.googleapis.com/google.protobuf.Struct] {
- fields {
- key: "origin"
- value { string_value: "'de'" }
- }
- }
- }
- }
- }
- }
- output {
- result_expr: "{'banned': true}"
- }
- }
-}
-
-sections {
- name: "permitted"
- description: "Permitted nested rule"
- tests {
- name: "valid_origin"
- input {
- key: "resource"
- value {
- value {
- object_value {
- [type.googleapis.com/google.protobuf.Struct] {
- fields {
- key: "origin"
- value { string_value: "uk" }
- }
- }
- }
- }
- }
- }
- output {
- result_expr: "{'banned': false}"
- }
- }
-}
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/nested_rule/testrunner_tests.yaml b/testing/src/test/resources/policy/nested_rule/testrunner_tests.yaml
deleted file mode 100644
index 414784ad8..000000000
--- a/testing/src/test/resources/policy/nested_rule/testrunner_tests.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule"
-description: Nested rule conformance tests
-sections:
- - name: "banned"
- description: "Tests for the banned section."
- tests:
- - name: "restricted_origin"
- description: "Tests that the ir origin is restricted."
- input:
- resource:
- value:
- origin: "ir"
- output:
- expr: "{'banned': true}"
- - name: "by_default"
- description: "Tests that the de origin is restricted."
- input:
- resource:
- value:
- origin: "de"
- output:
- expr: "{'banned': true}"
- - name: "permitted"
- description: "Tests for the permitted section."
- tests:
- - name: "valid_origin"
- description: "Tests that the valid origin is permitted."
- input:
- resource:
- value:
- origin: "uk"
- output:
- expr: "{'banned': false}"
diff --git a/testing/src/test/resources/policy/nested_rule/tests.yaml b/testing/src/test/resources/policy/nested_rule/tests.yaml
deleted file mode 100644
index 3f9f63437..000000000
--- a/testing/src/test/resources/policy/nested_rule/tests.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: Nested rule conformance tests
-section:
- - name: "banned"
- tests:
- - name: "restricted_origin"
- input:
- resource:
- value:
- origin: "ir"
- output:
- expr: "{'banned': true}"
- - name: "by_default"
- input:
- resource:
- value:
- origin: "de"
- output:
- expr: "{'banned': true}"
- - name: "permitted"
- tests:
- - name: "valid_origin"
- input:
- resource:
- value:
- origin: "uk"
- output:
- expr: "{'banned': false}"
diff --git a/testing/src/test/resources/policy/nested_rule2/config.yaml b/testing/src/test/resources/policy/nested_rule2/config.yaml
deleted file mode 100644
index 9ee6f0e49..000000000
--- a/testing/src/test/resources/policy/nested_rule2/config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule2"
-variables:
-- name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/nested_rule2/policy.yaml b/testing/src/test/resources/policy/nested_rule2/policy.yaml
deleted file mode 100644
index fef91869f..000000000
--- a/testing/src/test/resources/policy/nested_rule2/policy.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule2
-rule:
- variables:
- - name: "permitted_regions"
- expression: "['us', 'uk', 'es']"
- match:
- - condition: resource.?user.orValue("").startsWith("bad")
- rule:
- id: "banned regions"
- description: >
- determine whether the resource origin is in the banned
- list. If the region is also in the permitted list, the
- ban has no effect.
- variables:
- - name: "banned_regions"
- expression: "{'us': false, 'ru': false, 'ir': false}"
- match:
- - condition: |
- resource.origin in variables.banned_regions &&
- !(resource.origin in variables.permitted_regions)
- output: "{'banned': 'restricted_region'}"
- explanation: "'resource is in the banned region ' + resource.origin"
- - output: "{'banned': 'bad_actor'}"
- - condition: "!(resource.origin in variables.permitted_regions)"
- output: "{'banned': 'unconfigured_region'}"
- - output: "{}"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/nested_rule2/tests.yaml b/testing/src/test/resources/policy/nested_rule2/tests.yaml
deleted file mode 100644
index 0e1a9ca69..000000000
--- a/testing/src/test/resources/policy/nested_rule2/tests.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: Nested rule conformance tests
-section:
- - name: "banned"
- tests:
- - name: "restricted_origin"
- input:
- resource:
- value:
- user: "bad-user"
- origin: "ir"
- output:
- expr: "{'banned': 'restricted_region'}"
- - name: "by_default"
- input:
- resource:
- value:
- user: "bad-user"
- origin: "de"
- output:
- expr: "{'banned': 'bad_actor'}"
- - name: "unconfigured_region"
- input:
- resource:
- value:
- user: "good-user"
- origin: "de"
- output:
- expr: "{'banned': 'unconfigured_region'}"
- - name: "permitted"
- tests:
- - name: "valid_origin"
- input:
- resource:
- value:
- user: "good-user"
- origin: "uk"
- output:
- expr: "{}"
diff --git a/testing/src/test/resources/policy/nested_rule3/config.yaml b/testing/src/test/resources/policy/nested_rule3/config.yaml
deleted file mode 100644
index d9360d5c9..000000000
--- a/testing/src/test/resources/policy/nested_rule3/config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule3"
-variables:
-- name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/nested_rule3/policy.yaml b/testing/src/test/resources/policy/nested_rule3/policy.yaml
deleted file mode 100644
index 4ad765c8d..000000000
--- a/testing/src/test/resources/policy/nested_rule3/policy.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule3
-rule:
- variables:
- - name: "permitted_regions"
- expression: "['us', 'uk', 'es']"
- match:
- - condition: resource.?user.orValue("").startsWith("bad")
- rule:
- id: "banned regions"
- description: >
- determine whether the resource origin is in the banned
- list. If the region is also in the permitted list, the
- ban has no effect.
- variables:
- - name: "banned_regions"
- expression: "{'us': false, 'ru': false, 'ir': false}"
- match:
- - condition: |
- resource.origin in variables.banned_regions &&
- !(resource.origin in variables.permitted_regions)
- output: "{'banned': 'restricted_region'}"
- explanation: "'resource is in the banned region ' + resource.origin"
- - output: "{'banned': 'bad_actor'}"
- - condition: "!(resource.origin in variables.permitted_regions)"
- output: "{'banned': 'unconfigured_region'}"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/nested_rule3/tests.yaml b/testing/src/test/resources/policy/nested_rule3/tests.yaml
deleted file mode 100644
index 9d993c65f..000000000
--- a/testing/src/test/resources/policy/nested_rule3/tests.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: Nested rule conformance tests
-section:
- - name: "banned"
- tests:
- - name: "restricted_origin"
- input:
- resource:
- value:
- user: "bad-user"
- origin: "ir"
- output:
- expr: "{'banned': 'restricted_region'}"
- - name: "by_default"
- input:
- resource:
- value:
- user: "bad-user"
- origin: "de"
- output:
- expr: "{'banned': 'bad_actor'}"
- - name: "unconfigured_region"
- input:
- resource:
- value:
- user: "good-user"
- origin: "de"
- output:
- expr: "{'banned': 'unconfigured_region'}"
- - name: "permitted"
- tests:
- - name: "valid_origin"
- input:
- resource:
- value:
- user: "good-user"
- origin: "uk"
- output:
- expr: "optional.none()"
diff --git a/testing/src/test/resources/policy/nested_rule4/config.yaml b/testing/src/test/resources/policy/nested_rule4/config.yaml
deleted file mode 100644
index 5afb8c587..000000000
--- a/testing/src/test/resources/policy/nested_rule4/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule4"
-variables:
- - name: x
- type:
- type_name: int
diff --git a/testing/src/test/resources/policy/nested_rule4/policy.yaml b/testing/src/test/resources/policy/nested_rule4/policy.yaml
deleted file mode 100644
index ea53bfb25..000000000
--- a/testing/src/test/resources/policy/nested_rule4/policy.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule4
-rule:
- match:
- - condition: x > 0
- rule:
- match:
- - rule:
- match:
- - output: "true"
- - output: "false"
diff --git a/testing/src/test/resources/policy/nested_rule4/tests.yaml b/testing/src/test/resources/policy/nested_rule4/tests.yaml
deleted file mode 100644
index 006eddb88..000000000
--- a/testing/src/test/resources/policy/nested_rule4/tests.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: "Nested rule tests which explore optional vs non-optional returns"
-section:
- - name: "valid"
- tests:
- - name: "x=0"
- input:
- x:
- value: 0
- output:
- value: false
- - name: "x=2"
- input:
- x:
- value: 2
- output:
- value: true
diff --git a/testing/src/test/resources/policy/nested_rule5/config.yaml b/testing/src/test/resources/policy/nested_rule5/config.yaml
deleted file mode 100644
index 499450090..000000000
--- a/testing/src/test/resources/policy/nested_rule5/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule5"
-variables:
- - name: x
- type:
- type_name: int
diff --git a/testing/src/test/resources/policy/nested_rule5/policy.yaml b/testing/src/test/resources/policy/nested_rule5/policy.yaml
deleted file mode 100644
index e43dce188..000000000
--- a/testing/src/test/resources/policy/nested_rule5/policy.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule5
-rule:
- match:
- - condition: x > 0
- rule:
- match:
- - rule:
- match:
- - condition: "x > 2"
- output: "true"
- - condition: x > 1
- rule:
- match:
- - condition: "x >= 2"
- output: "true"
- - output: "false"
diff --git a/testing/src/test/resources/policy/nested_rule5/tests.yaml b/testing/src/test/resources/policy/nested_rule5/tests.yaml
deleted file mode 100644
index 8cd794051..000000000
--- a/testing/src/test/resources/policy/nested_rule5/tests.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: "Nested rule tests which explore optional vs non-optional returns"
-section:
- - name: "valid"
- tests:
- - name: "x=0"
- input:
- x:
- value: 0
- output:
- value: false
- - name: "x=1"
- input:
- x:
- value: 1
- output:
- expr: "optional.none()"
- - name: "x=2"
- input:
- x:
- value: 2
- output:
- expr: "optional.none()"
- - name: "x=3"
- input:
- x:
- value: 3
- output:
- value: true
diff --git a/testing/src/test/resources/policy/nested_rule6/config.yaml b/testing/src/test/resources/policy/nested_rule6/config.yaml
deleted file mode 100644
index a5b1ee16b..000000000
--- a/testing/src/test/resources/policy/nested_rule6/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule6"
-variables:
- - name: x
- type:
- type_name: int
diff --git a/testing/src/test/resources/policy/nested_rule6/policy.yaml b/testing/src/test/resources/policy/nested_rule6/policy.yaml
deleted file mode 100644
index a3360e7c1..000000000
--- a/testing/src/test/resources/policy/nested_rule6/policy.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule6
-rule:
- match:
- - rule:
- match:
- - rule:
- match:
- - condition: "x > 2"
- output: "true"
- - rule:
- match:
- - condition: "x > 3"
- output: "true"
- - output: "false"
diff --git a/testing/src/test/resources/policy/nested_rule6/tests.yaml b/testing/src/test/resources/policy/nested_rule6/tests.yaml
deleted file mode 100644
index fef586df0..000000000
--- a/testing/src/test/resources/policy/nested_rule6/tests.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: "Nested rule tests which explore optional vs non-optional returns"
-section:
- - name: "valid"
- tests:
- - name: "x=0"
- input:
- x:
- value: 0
- output:
- value: false
diff --git a/testing/src/test/resources/policy/nested_rule7/config.yaml b/testing/src/test/resources/policy/nested_rule7/config.yaml
deleted file mode 100644
index 74d4d8c2d..000000000
--- a/testing/src/test/resources/policy/nested_rule7/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "nested_rule7"
-variables:
- - name: x
- type:
- type_name: int
diff --git a/testing/src/test/resources/policy/nested_rule7/policy.yaml b/testing/src/test/resources/policy/nested_rule7/policy.yaml
deleted file mode 100644
index fcacd017e..000000000
--- a/testing/src/test/resources/policy/nested_rule7/policy.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: nested_rule7
-rule:
- match:
- - rule:
- match:
- - rule:
- match:
- - condition: "x > 2"
- output: "true"
- - rule:
- match:
- - condition: "x > 3"
- output: "true"
- - condition: "x > 1"
- output: "false"
diff --git a/testing/src/test/resources/policy/nested_rule7/tests.yaml b/testing/src/test/resources/policy/nested_rule7/tests.yaml
deleted file mode 100644
index ec2896878..000000000
--- a/testing/src/test/resources/policy/nested_rule7/tests.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: "Nested rule tests which explore optional vs non-optional returns"
-section:
- - name: "valid"
- tests:
- - name: "x=1"
- input:
- x:
- value: 1
- output:
- expr: "optional.none()"
- - name: "x=2"
- input:
- x:
- value: 2
- output:
- value: false
- - name: "x=3"
- input:
- x:
- value: 3
- output:
- value: true
- - name: "x=4"
- input:
- x:
- value: 4
- output:
- value: true
diff --git a/testing/src/test/resources/policy/pb/config.yaml b/testing/src/test/resources/policy/pb/config.yaml
deleted file mode 100644
index d13ce2ae1..000000000
--- a/testing/src/test/resources/policy/pb/config.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "pb"
-container: "cel.expr.conformance.proto3"
-extensions:
-- name: "strings"
- version: 2
-variables:
-- name: "spec"
- type:
- type_name: "cel.expr.conformance.proto3.TestAllTypes"
diff --git a/testing/src/test/resources/policy/pb/policy.yaml b/testing/src/test/resources/policy/pb/policy.yaml
deleted file mode 100644
index 5d2b1d22a..000000000
--- a/testing/src/test/resources/policy/pb/policy.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "pb"
-
-imports:
-- name: cel.expr.conformance.proto3.TestAllTypes
-- name: cel.expr.conformance.proto3.TestAllTypes.NestedEnum
- # Note: Following enum is CEL-Java only.
-- name: |
- dev.cel.testing.testdata.proto3.StandaloneGlobalEnum
-
-rule:
- match:
- - condition: >
- spec.single_int32 > TestAllTypes{single_int64: 10}.single_int64
- output: |
- "invalid spec, got single_int32=" + string(spec.single_int32) + ", wanted <= 10"
-# TODO: replace when string.format is available
-# "invalid spec, got single_int32=%d, wanted <= 10".format([spec.single_int32])
- - condition: >
- spec.standalone_enum == NestedEnum.BAR ||
- StandaloneGlobalEnum.SGAR == StandaloneGlobalEnum.SGOO
- output: |
- "invalid spec, neither nested nor imported enums may refer to BAR"
\ No newline at end of file
diff --git a/testing/src/test/resources/policy/pb/tests.yaml b/testing/src/test/resources/policy/pb/tests.yaml
deleted file mode 100644
index 71cd56b57..000000000
--- a/testing/src/test/resources/policy/pb/tests.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: "Protobuf input tests"
-section:
- - name: "valid"
- tests:
- - name: "good spec"
- input:
- spec:
- expr: >
- TestAllTypes{single_int32: 10}
- output:
- expr: "optional.none()"
- - name: "invalid"
- tests:
- - name: "bad spec"
- input:
- spec:
- expr: >
- TestAllTypes{single_int32: 11}
- output:
- value: "invalid spec, got single_int32=11, wanted <= 10"
diff --git a/testing/src/test/resources/policy/required_labels/config.yaml b/testing/src/test/resources/policy/required_labels/config.yaml
deleted file mode 100644
index 14311d763..000000000
--- a/testing/src/test/resources/policy/required_labels/config.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "labels"
-extensions:
- - name: "bindings"
- - name: "strings"
- version: 2
-variables:
- - name: "spec"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
- - name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
diff --git a/testing/src/test/resources/policy/required_labels/policy.yaml b/testing/src/test/resources/policy/required_labels/policy.yaml
deleted file mode 100644
index aca75290f..000000000
--- a/testing/src/test/resources/policy/required_labels/policy.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "required_labels"
-rule:
- variables:
- - name: want
- expression: spec.labels
- - name: missing
- expression: variables.want.filter(l, !(l in resource.labels))
- - name: invalid
- expression: >
- resource.labels.filter(l,
- l in variables.want && variables.want[l] != resource.labels[l])
- match:
- - condition: variables.missing.size() > 0
- output: |
- "missing one or more required labels: [\"" + variables.missing.join(',') + "\"]"
- - condition: variables.invalid.size() > 0
- output: |
- "invalid values provided on one or more labels: [\"" + variables.invalid.join(',') + "\"]"
diff --git a/testing/src/test/resources/policy/required_labels/tests.yaml b/testing/src/test/resources/policy/required_labels/tests.yaml
deleted file mode 100644
index 4296c6914..000000000
--- a/testing/src/test/resources/policy/required_labels/tests.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-description: "Required labels conformance tests"
-section:
- - name: "valid"
- tests:
- - name: "matching"
- input:
- spec:
- value:
- labels:
- env: prod
- experiment: "group b"
- resource:
- value:
- labels:
- env: prod
- experiment: "group b"
- release: "v0.1.0"
- output:
- expr: "optional.none()"
- - name: "missing"
- tests:
- - name: "env"
- input:
- spec:
- value:
- labels:
- env: prod
- experiment: "group b"
- resource:
- value:
- labels:
- experiment: "group b"
- release: "v0.1.0"
- output:
- value: "missing one or more required labels: [\"env\"]"
- - name: "experiment"
- input:
- spec:
- value:
- labels:
- env: prod
- experiment: "group b"
- resource:
- value:
- labels:
- env: staging
- release: "v0.1.0"
- output:
- value: "missing one or more required labels: [\"experiment\"]"
- - name: "invalid"
- tests:
- - name: "env"
- input:
- spec:
- value:
- labels:
- env: prod
- experiment: "group b"
- resource:
- value:
- labels:
- env: staging
- experiment: "group b"
- release: "v0.1.0"
- output:
- value: "invalid values provided on one or more labels: [\"env\"]"
diff --git a/testing/src/test/resources/policy/restricted_destinations/config.yaml b/testing/src/test/resources/policy/restricted_destinations/config.yaml
deleted file mode 100644
index b9c8f9750..000000000
--- a/testing/src/test/resources/policy/restricted_destinations/config.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "labels"
-extensions:
- - name: "sets"
-variables:
- - name: "destination.ip"
- type:
- type_name: "string"
- - name: "origin.ip"
- type:
- type_name: "string"
- - name: "spec.restricted_destinations"
- type:
- type_name: "list"
- params:
- - type_name: "string"
- - name: "spec.origin"
- type:
- type_name: "string"
- - name: "request"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
- - name: "resource"
- type:
- type_name: "map"
- params:
- - type_name: "string"
- - type_name: "dyn"
-functions:
- - name: "locationCode"
- overloads:
- - id: "locationCode_string"
- args:
- - type_name: "string"
- return:
- type_name: "string"
diff --git a/testing/src/test/resources/policy/restricted_destinations/policy.yaml b/testing/src/test/resources/policy/restricted_destinations/policy.yaml
deleted file mode 100644
index 95fb454d7..000000000
--- a/testing/src/test/resources/policy/restricted_destinations/policy.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: "restricted_destinations"
-rule:
- variables:
- - name: matches_origin_ip
- expression: >
- locationCode(origin.ip) == spec.origin
- - name: has_nationality
- expression: >
- has(request.auth.claims.nationality)
- - name: matches_nationality
- expression: >
- variables.has_nationality && request.auth.claims.nationality == spec.origin
- - name: matches_dest_ip
- expression: >
- locationCode(destination.ip) in spec.restricted_destinations
- - name: matches_dest_label
- expression: >
- resource.labels.location in spec.restricted_destinations
- - name: matches_dest
- expression: >
- variables.matches_dest_ip || variables.matches_dest_label
- match:
- - condition: variables.matches_nationality && variables.matches_dest
- output: "true"
- - condition: >
- !variables.has_nationality && variables.matches_origin_ip && variables.matches_dest
- output: "true"
- - output: "false"
diff --git a/testing/src/test/resources/policy/restricted_destinations/tests.yaml b/testing/src/test/resources/policy/restricted_destinations/tests.yaml
deleted file mode 100644
index f7ae36550..000000000
--- a/testing/src/test/resources/policy/restricted_destinations/tests.yaml
+++ /dev/null
@@ -1,122 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -description: Restricted destinations conformance tests. -section: - - name: "valid" - tests: - - name: "ip_allowed" - input: - spec.origin: - value: "us" - spec.restricted_destinations: - value: - - "cu" - - "ir" - - "kp" - - "sd" - - "sy" - destination.ip: - value: "10.0.0.1" - origin.ip: - value: "10.0.0.1" - request: - value: - auth: - claims: {} - resource: - value: - name: "/company/acme/secrets/doomsday-device" - labels: - location: "us" - output: - value: false # false means unrestricted - - name: "nationality_allowed" - input: - spec.origin: - value: "us" - spec.restricted_destinations: - value: - - "cu" - - "ir" - - "kp" - - "sd" - - "sy" - destination.ip: - value: "10.0.0.1" - request: - value: - auth: - claims: - nationality: "us" - resource: - value: - name: "/company/acme/secrets/doomsday-device" - labels: - location: "us" - output: - value: false - - name: "invalid" - tests: - - name: "destination_ip_prohibited" - input: - spec.origin: - value: "us" - spec.restricted_destinations: - value: - - "cu" - - "ir" - - "kp" - - "sd" - - "sy" - destination.ip: - value: "123.123.123.123" - origin.ip: - value: "10.0.0.1" - request: - value: - auth: - claims: {} - resource: - value: - name: "/company/acme/secrets/doomsday-device" - labels: - location: "us" - output: - value: true # true means restricted - - name: "resource_nationality_prohibited" - input: - spec.origin: 
- value: "us" - spec.restricted_destinations: - value: - - "cu" - - "ir" - - "kp" - - "sd" - - "sy" - destination.ip: - value: "10.0.0.1" - request: - value: - auth: - claims: - nationality: "us" - resource: - value: - name: "/company/acme/secrets/doomsday-device" - labels: - location: "cu" - output: - value: true diff --git a/testing/src/test/resources/policy/syntax/expected_errors.baseline b/testing/src/test/resources/policy/syntax/expected_errors.baseline new file mode 100644 index 000000000..dd6af277e --- /dev/null +++ b/testing/src/test/resources/policy/syntax/expected_errors.baseline @@ -0,0 +1,12 @@ +ERROR: syntax/policy.yaml:19:51: mismatched input 'resource' expecting {'==', '!=', 'in', '<', '<=', '>=', '>', '&&', '||', '[', ')', '.', '-', '?', '+', '*', '/', '%%'} + | expression: "variables.want.filter(l, !(lin resource.labels))" + | ..................................................^ +ERROR: syntax/policy.yaml:19:67: extraneous input ')' expecting + | expression: "variables.want.filter(l, !(lin resource.labels))" + | ..................................................................^ +ERROR: syntax/policy.yaml:21:27: mismatched input '2' expecting {'}', ','} + | expression: "{1:305 2:569}" + | ..........................^ +ERROR: syntax/policy.yaml:24:33: extraneous input ']' expecting + | output: "variables.missing]" + | ................................^ diff --git a/testing/src/test/resources/policy/undeclared_reference/expected_errors.baseline b/testing/src/test/resources/policy/undeclared_reference/expected_errors.baseline new file mode 100644 index 000000000..4b887180e --- /dev/null +++ b/testing/src/test/resources/policy/undeclared_reference/expected_errors.baseline 
@@ -0,0 +1,6 @@ +ERROR: undeclared_reference/policy.yaml:19:19: undeclared reference to 'spec' (in container '') + | expression: spec.labels + | ..................^ +ERROR: undeclared_reference/policy.yaml:23:29: undeclared reference to 'format' (in container '') + | "invalid: %s".format([variables.val]) + | ............................^ diff --git a/testing/src/test/resources/policy/unreachable/expected_errors.baseline b/testing/src/test/resources/policy/unreachable/expected_errors.baseline new file mode 100644 index 000000000..768f0eeb1 --- /dev/null +++ b/testing/src/test/resources/policy/unreachable/expected_errors.baseline @@ -0,0 +1,6 @@ +ERROR: unreachable/policy.yaml:36:9: Match creates unreachable outputs + | - output: | + | ........^ +ERROR: unreachable/policy.yaml:28:7: Rule creates unreachable outputs + | match: + | ......^ \ No newline at end of file diff --git a/testing/testrunner/cel_java_test.bzl b/testing/testrunner/cel_java_test.bzl index b3457f6f0..450b62af3 100644 --- a/testing/testrunner/cel_java_test.bzl +++ b/testing/testrunner/cel_java_test.bzl @@ -20,6 +20,9 @@ load("@rules_shell//shell:sh_test.bzl", "sh_test") load("@bazel_skylib//lib:paths.bzl", "paths") load("@com_google_protobuf//bazel:java_proto_library.bzl", "java_proto_library") +def _is_label(s): + return s.startswith("//") or s.startswith(":") or s.startswith("@") + def cel_java_test( name, cel_expr, 
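Review bot: `_is_label` in cel_java_test.bzl is added without a docstring, although its result decides in the following hunk whether a value is expanded through `$(location ...)` or joined onto the test data directory as a file name. A one-line docstring would record the contract, for example `"""Returns True if s starts with "//", ":" or "@"; any other string is handled by callers as a file name, not a label."""`. It is worth stating there that a bare target name without a leading `:` is not recognised as a label by this check, since that is the case a caller is most likely to get wrong.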
@@ -33,145 +36,124 @@ def cel_java_test( enable_coverage = False, test_data_path = "", data = []): - """trigger the java impl of the CEL test runner. + """Triggers the Java impl of the CEL test runner. - This rule will generate a java_binary and a run_test rule. This rule will be used to trigger - the java impl of the cel_test rule. + This rule generates a java_binary and a run_test rule. - Note: This rule is to be used only for OSS until cel/expr folder is made available in OSS. Internally, - the cel_test rule is supposed to be used. + Note: This rule is to be used only for OSS until cel/expr folder is made available in OSS. + Internally, the cel_test rule is supposed to be used. Args: - name: str name for the generated artifact - test_suite: str label of a file containing a test suite. The file should have a .yaml or a - .textproto extension. - cel_expr: cel expression to be evaluated. This could be a raw expression or a compiled - expression or cel policy. - is_raw_expr: bool whether the cel_expr is a raw expression or not. If true, the cel_expr - will be used as is and would not be treated as a file path. - filegroup: str label of a filegroup containing the test suite, the config and the checked - expression. - config: str label of a file containing a google.api.expr.conformance.Environment message. - The file should have the .textproto extension. + name: str name for the generated artifact. + cel_expr: cel expression to be evaluated (raw expression, compiled expression, or policy). test_src: user's test class build target. + is_raw_expr: bool whether the cel_expr is a raw expression (not treated as a file path). + test_suite: str label of a test suite file (.yaml or .textproto). + filegroup: str label of a filegroup containing the test suite, config, and checked expression. + config: str label of a google.api.expr.conformance.Environment textproto file. deps: list of dependencies for the java_binary rule. 
+ proto_deps: list of proto_library dependencies for the test. + enable_coverage: bool whether to enable coverage for the test. + test_data_path: absolute path of the directory containing the test files (e.g., "//foo/bar"). data: list of data dependencies for the java_binary rule. - proto_deps: str label of the proto dependencies for the test. Note: This only supports proto_library rules. - enable_coverage: bool whether to enable coverage for the test. This is needed only if the - test runner is being used for gathering coverage data. - test_data_path: absolute path of the directory containing the test files. This is needed only - if the test files are not located in the same directory as the BUILD file. This - would be of the form "//foo/bar". """ + jvm_flags = [] - data, test_data_path = _update_data_with_test_files(data, filegroup, test_data_path, config, test_suite, cel_expr, is_raw_expr) + # Avoid mutating the original data list passed into the macro + resolved_data = list(data) + resolved_deps = list(deps) + + # Normalize paths + pkg_name = native.package_name() + test_data_dir = test_data_path.lstrip("/") if test_data_path else pkg_name - # Since the test_data_path is of the form "//foo/bar", we need to strip the leading "/" to get - # the absolute path. 
- test_data_path = test_data_path.lstrip("/") + # Add filegroup if provided + if filegroup: + resolved_data.append(filegroup) - if test_suite != "": - test_suite = test_data_path + "/" + test_suite - jvm_flags.append("-Dtest_suite_path=%s" % test_suite) + def _process_file_arg(file_val, flag_name): + """Helper to append JVM flags and resolve data targets for file inputs.""" + if not file_val: + return - if config != "": - config = test_data_path + "/" + config - jvm_flags.append("-Dconfig_path=%s" % config) + if _is_label(file_val): + jvm_flags.append("-D{}=$(location {})".format(flag_name, file_val)) + resolved_data.append(file_val) + else: + jvm_flags.append("-D{}={}/{}".format(flag_name, test_data_dir, file_val)) + # If no filegroup is provided, we must add the file directly to data + if not filegroup: + target = file_val if test_data_dir == pkg_name else "//{}:{}".format(test_data_dir, file_val) + resolved_data.append(target) + + # Process standard file inputs + _process_file_arg(test_suite, "test_suite_path") + _process_file_arg(config, "config_path") + + # Process cel_expr (has specialized fallback logic) _, cel_expr_format = paths.split_extension(cel_expr) + is_valid_cel_ext = cel_expr_format in [".cel", ".celpolicy", ".yaml"] - if is_valid_cel_file_format(file_extension = cel_expr_format) == True: - jvm_flags.append("-Dcel_expr=%s" % test_data_path + "/" + cel_expr) - elif is_raw_expr == True: - jvm_flags.append("-Dcel_expr='%s'" % cel_expr) - elif not is_valid_cel_file_format(file_extension = cel_expr_format) and not is_raw_expr: + if _is_label(cel_expr): jvm_flags.append("-Dcel_expr=$(location {})".format(cel_expr)) + resolved_data.append(cel_expr) + elif is_raw_expr: + jvm_flags.append("-Dcel_expr='{}'".format(cel_expr)) + elif is_valid_cel_ext: + jvm_flags.append("-Dcel_expr={}/{}".format(test_data_dir, cel_expr)) + if not filegroup: + target = cel_expr if test_data_dir == pkg_name else "//{}:{}".format(test_data_dir, cel_expr) + 
resolved_data.append(target) + else: + # Fallback: Treat as a local target + jvm_flags.append("-Dcel_expr=$(location {})".format(cel_expr)) + resolved_data.append(cel_expr) + # Process Proto Dependencies if proto_deps: + descriptor_set_name = name + "_proto_descriptor_set" + descriptor_set_path = ":" + descriptor_set_name + proto_descriptor_set( - name = name + "_proto_descriptor_set", + name = descriptor_set_name, deps = proto_deps, ) - descriptor_set_path = ":" + name + "_proto_descriptor_set" - data.append(descriptor_set_path) - jvm_flags.append("-Dfile_descriptor_set_path=$(location {})".format(descriptor_set_path)) - java_proto_library( - name = name + "_proto_descriptor_set_java_proto", + name = descriptor_set_name + "_java_proto", deps = proto_deps, ) - deps = deps + [":" + name + "_proto_descriptor_set_java_proto"] - jvm_flags.append("-Dis_raw_expr=%s" % is_raw_expr) - jvm_flags.append("-Dis_coverage_enabled=%s" % enable_coverage) + resolved_data.append(descriptor_set_path) + resolved_deps.append(":" + descriptor_set_name + "_java_proto") + jvm_flags.append("-Dfile_descriptor_set_path=$(location {})".format(descriptor_set_path)) + + # Add boolean flags + jvm_flags.append("-Dis_raw_expr={}".format(is_raw_expr)) + jvm_flags.append("-Dis_coverage_enabled={}".format(enable_coverage)) + # Generate the runner binary java_binary( name = name + "_test_runner_binary", srcs = ["//testing/testrunner:test_runner_binary"], - data = data, + data = resolved_data, jvm_flags = jvm_flags, testonly = True, main_class = "dev.cel.testing.testrunner.TestRunnerBinary", - runtime_deps = [ - test_src, - ], + runtime_deps = [test_src], deps = [ "//testing/testrunner:test_executor", "@maven//:com_google_guava_guava", "@bazel_tools//tools/java/runfiles:runfiles", - ] + deps, + ] + resolved_deps, ) + # Generate the execution shell test sh_test( name = name, tags = ["nomsan"], srcs = ["//testing/testrunner:run_testrunner_binary.sh"], - data = [ - ":%s_test_runner_binary" % name, - ], - 
args = [ - name, - ], + data = [":{}_test_runner_binary".format(name)], + args = [name], ) - -def _update_data_with_test_files(data, filegroup, test_data_path, config, test_suite, cel_expr, is_raw_expr): - """Updates the data with the test files.""" - - _, cel_expr_format = paths.split_extension(cel_expr) - if filegroup != "": - data = data + [filegroup] - elif test_data_path != "" and test_data_path != native.package_name(): - if config != "": - data = data + [test_data_path + ":" + config] - if test_suite != "": - data = data + [test_data_path + ":" + test_suite] - if is_valid_cel_file_format(file_extension = cel_expr_format): - data = data + [test_data_path + ":" + cel_expr] - else: - test_data_path = native.package_name() - if config != "": - data = data + [config] - if test_suite != "": - data = data + [test_suite] - if is_valid_cel_file_format(file_extension = cel_expr_format): - data = data + [cel_expr] - - if not is_valid_cel_file_format(file_extension = cel_expr_format) and not is_raw_expr: - data = data + [cel_expr] - return data, test_data_path - -def is_valid_cel_file_format(file_extension): - """Checks if the file extension is a valid CEL file format. - - Args: - file_extension: The file extension to check. - - Returns: - True if the file extension is a valid CEL file format, False otherwise. - """ - return file_extension in [ - ".cel", - ".celpolicy", - ".yaml", - ]
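Review bot: The raw-expression branch builds `-Dcel_expr='{}'` by pasting `cel_expr` between single quotes, so an expression that itself contains a single quote (a CEL string literal such as `'us'`) ends the quoting early. Bazel documents jvm_flags as subject to Make-variable substitution and Bourne shell tokenization, so the remainder is re-tokenized as separate JVM arguments and a `$` in the expression is expanded instead of being passed through. Escaping the value closes both gaps, for example `jvm_flags.append("-Dcel_expr={}".format(shell.quote(cel_expr.replace("$", "$$"))))` with `load("@bazel_skylib//lib:shell.bzl", "shell")` added next to the existing skylib load. This branch is also reached only after `_is_label(cel_expr)`, so with `is_raw_expr = True` an expression starting with `//`, `:` or `@` is still handed to `$(location ...)`; testing `is_raw_expr` first would make the flag authoritative. The signature of `cel_java_test` begins above this hunk.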